Monthly Archives: December 2007

Charlie needed to connect to Gmail’s nntp folders inside of Outlook. He had locked down ISA’s rules so they weren’t wide open, and realized that was what was blocking Gmail.

(Necessary if you’re going to use Outlook rule processing, since SBS doesn’t include a default rule for this.) You’ll need to add an ISA Rule to make it work on some machines. I could post the XML file, but it’s easy enough to set up:

In my opinion an SBS box can’t store, process or transmit credit cards under the PCI/DSS regulations. Even Centro/Essential Business server is probably pushing the envelope of an acceptable setup.

If you want to “pass the test” without having to document your compensating controls, it is my opinion that any server setup in a small firm would not pass muster under requirement 2.2.1:

2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)

So how do you handle storing, processing or transmitting credit cards if you are an SMB shop and think that having umpteen servers, one per role, doesn’t gain any security?

Here are some ideas of the ways around the issue:

Storing credit cards — I’d argue that first you don’t store credit cards, period. Time Magazine’s headline is that there are record data breaches and many if not most of them happen when “data is at rest”. http://www.time.com/time/world/article/0,8599,1699049,00.html It’s from a stolen laptop, or a lost backup tape. Bottom line: don’t store credit cards on the server.

Processing credit cards — if you think about it, in many places you can use alternative ways to process them. In our office we have a merchant machine that runs through its own network and is not connected to ours.

Transmitting credit cards — the same rules apply. The merchant machine separates out the handling.

“Windows® versions prior to Windows Vista® will, by default, automatically run programs designated in the autorun.inf file on CDs, but not on USB drives. By lying about itself, the U3-enabled USB flash drive fools the OS into autorunning something called the U3 launcher. The U3 launcher, in turn, can start programs, give you a menu, or do pretty much anything that you could do with the computer yourself.”

Use authoritative restores only as a final option, such as in the case of directory collisions.

For example, you may require an authoritative restore if you must recover an FRS replica set where replication has completely stopped and requires a rebuild from scratch.

The following list of requirements must be met before you perform an authoritative FRS restore:

1. The FRS service must be disabled on all downstream partners (direct and transitive) for the reinitialized replica sets before you restart the FRS service when the authoritative restore has been configured to occur.

2. Events 13553 and 13516 have been logged in the FRS event log. These events indicate that the membership to the replica set has been established on the computer that is configured for the authoritative restore.

3. The computer that is configured for the authoritative restore is configured to be authoritative for all the data that you want to replicate to replica set members. This is not the case if you are performing a join on an empty directory. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

   266679 (http://support.microsoft.com/kb/266679/) Pre-staging the File Replication service replicated files on SYSVOL and Distributed file system shares for optimal synchronization

4. All other partners in the replica set must be reinitialized with a nonauthoritative restore.

To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:

1. Click Start, and then click Run.

2. In the Open box, type cmd and then press ENTER.

3. In the Command box, type net stop ntfrs.

4. Click Start, and then click Run.

5. In the Open box, type regedit and then press ENTER.

6. Locate the following subkey in the registry:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

7. In the right pane, double click BurFlags.

8. In the Edit DWORD Value dialog box, type D4 and then click OK.

9. Quit Registry Editor, and then switch to the Command box.

10. In the Command box, type net start ntfrs.

11. Quit the Command box.

When the FRS service is restarted, the following actions occur:

• The value for the BurFlags registry key is set back to 0.

• An event 13566 is logged to signal that an authoritative restore is started.

• Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.

• The FRS database is rebuilt based on current file inventory.

• When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
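The eleven steps above, scripted, as an added example that is neither code from the original post nor from the Microsoft KB article it quotes. It stops FRS, sets BurFlags, restarts FRS, confirms the value was cleared back to 0, and then watches the FRS event log for 13566 and 13516. It assumes Windows PowerShell run elevated on the domain controller you have chosen as authoritative; the D2 value for the nonauthoritative case (the restore the other partners need) is a documented value added here, not something the post states. The prerequisites in the list above (FRS disabled on downstream partners, events 13553 and 13516 already logged) are not checked by the script.

```powershell
# Added example (not from the original post or the KB article it quotes).
# Automates: net stop ntfrs -> set BurFlags -> net start ntfrs -> wait for 13566 / 13516.
param(
    [switch]$Authoritative,      # D4 = authoritative (this post); D2 = nonauthoritative (for the other partners)
    [int]$TimeoutMinutes = 15
)

$burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }
$mode     = if ($Authoritative) { 'authoritative' } else { 'nonauthoritative' }

# The key name contains a forward slash ("Backup/Restore"). PowerShell's registry provider
# treats "/" as a path separator, so HKLM:\...\Backup/Restore\... cannot be addressed with
# Set-ItemProperty. The .NET Registry API takes the name literally.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

Write-Host 'Stopping FRS (net stop ntfrs)...'
Stop-Service -Name NtFrs -Force
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if (-not $key) { throw "Registry key not found: HKLM\$subKey (is FRS installed on this machine?)" }
try {
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
    Write-Host ('BurFlags set to 0x{0:X} ({1})' -f $burFlags, $mode)
} finally { $key.Close() }

$since = Get-Date
Write-Host 'Starting FRS (net start ntfrs)...'
Start-Service -Name NtFrs
Start-Sleep -Seconds 10

# FRS reads BurFlags at startup and sets it back to 0; confirm that happened.
$key   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
$after = $key.GetValue('BurFlags'); $key.Close()
Write-Host "BurFlags after restart: $after (expected 0)"

# Wait for 13566 (restore started) and 13516 (FRS operational, SYSVOL ready to share).
$deadline = $since.AddMinutes($TimeoutMinutes)
$seen = @{}
do {
    Get-EventLog -LogName 'File Replication Service' -After $since -ErrorAction SilentlyContinue |
        Where-Object { 13553, 13566, 13516 -contains $_.EventID } |
        ForEach-Object {
            if (-not $seen[$_.EventID]) {
                $seen[$_.EventID] = $true
                Write-Host ('{0} event {1}: {2}' -f $_.TimeGenerated, $_.EventID, ($_.Message -split "`n")[0])
            }
        }
    if ($seen[13516]) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if (-not $seen[13516]) {
    Write-Warning "Event 13516 was not logged within $TimeoutMinutes minutes; check the FRS configuration."
}
```

Run it as `.\Restore-Frs.ps1 -Authoritative` on the one box that is to be authoritative, and without the switch on every other replica member after that. The forward slash in the key name is the detail that trips people up when they try to script this with the registry provider; the .NET call sidesteps it.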

Yup… it sure did.

Event Type: Information
Event Source: NtFrs
Event Category: None
Event ID: 13516
Date: 12/29/2007
Time: 10:54:28 PM
User: N/A
Computer: KIKIBITZFINAL
Description:
The File Replication Service is no longer preventing the computer KIKIBITZFINAL from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

Ron was adding an Exchange 2007 into a SBS 2003 network and was hitting issues.

Alexander came to the rescue with this answer…

I did such an installation myself.

Guess what!! The schema role transfer is not necessary. Apparently the
author of that article was having some problems with the schema master and
went with a solution that you would only use on a test machine.

By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted, bypassing the use of secure updates.

So I think the real issue is that as we retire or repurpose old workstations, we’re not removing them in Active Directory like we should.

In server management, when you need to remove an old system, right mouse click and click on Remove Computer from Network. It’s this action that will remove the system from AD as it should and also from WSUS appropriately.

If you read that, you can see that turning on the scavenging settings can have its issues.

By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update.

What is probably a better recommendation is to periodically right mouse click on DNS and click on Scavenge Stale Resource Records, especially when you are adding a new computer to an existing position (like repurposing a workstation).

For best results, remove the old workstation with the remove computer wizard.

When repurposing a workstation, flip/drop it back to workstation mode and then rerun /connectcomputer if you plan to use connectcomputer to reattach.

Could you set the DNS to do an automatic scavenge? Brian Desmond says that on our networks, setting that probably won’t cause issues. But you have to set it in two places, on a per zone basis and on the DNS server. I think part of our problem is that we’re not removing the computers properly and that’s what’s getting us into trouble. I know when I was reminded of that ‘remove computer from network wizard’ I went… “uh… what remove computer wizard?”

So bottom line, that setting in DHCP doesn’t do what we think it does. And we’re better off clicking on that Scavenge Stale Resource Records every now and then.
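The “two places” point above, as an added example that is not from the original post: aging is a zone setting (with the no-refresh and refresh windows) and scavenging is a server setting (with its own interval), and nothing gets deleted unless both are on. The script reports both halves, optionally enables them, and can trigger the same manual Scavenge Stale Resource Records action the post recommends. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) pointed at your DNS server; `example.local` and `localhost` are placeholders. On SBS 2003 the same two settings live in the DNS MMC under the zone’s Properties > General > Aging… and the server’s right-click > Set Aging/Scavenging for All Zones….

```powershell
# Added example (not from the original post). Requires the DnsServer module.
param(
    [string]$ZoneName  = 'example.local',   # placeholder: your internal AD zone
    [string]$DnsServer = 'localhost',       # placeholder: the SBS/DNS server
    [switch]$Enable,                        # turn aging + scavenging on in both places
    [switch]$ScavengeNow                    # same as right-click > Scavenge Stale Resource Records
)

# The window before a record is eligible for deletion is NoRefresh + Refresh. It must be
# longer than the DHCP lease plus the longest a legitimate machine is switched off (think
# laptops), because once a record is scavenged anyone can re-create it and own it, even in
# a zone set to secure dynamic update only.
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7
$interval  = New-TimeSpan -Days 7

function Get-ScavengingState {
    $srv  = Get-DnsServerScavenging -ComputerName $DnsServer
    $zone = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName
    [pscustomobject]@{
        Zone             = $ZoneName
        ZoneAging        = $zone.AgingEnabled          # place 1: the zone
        ZoneNoRefresh    = $zone.NoRefreshInterval
        ZoneRefresh      = $zone.RefreshInterval
        ServerScavenging = $srv.ScavengingState        # place 2: the server
        ServerInterval   = $srv.ScavengingInterval
        LastScavenge     = $srv.LastScavengeTime
        # Only effective when both are on: aging alone stamps records but never deletes,
        # scavenging alone has no aged records to act on.
        Effective        = [bool]($zone.AgingEnabled -and $srv.ScavengingState)
    }
}

if ($Enable) {
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
        -NoRefreshInterval $noRefresh -RefreshInterval $refresh
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval $interval
}

if ($ScavengeNow) {
    # Manual pass: deletes only records whose timestamp is older than NoRefresh + Refresh.
    Start-DnsServerScavenging -ComputerName $DnsServer -Force
}

Get-ScavengingState | Format-List
```

Run it with no switches first: an `Effective` of False with `ZoneAging` True is the common half-configured case where the MMC shows aging on but nothing is ever removed.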

We have a few inherited SBS 2003 boxes, in addition to ones we have deployed ourselves. On two of the inherited ones, we were having problems with RWW making connections to specific client machines. It turned out that the machines had multiple DNS A records on the SBS box (accumulated over time when they had changed IP for whatever reason) so RWW was having trouble finding the right IP. This was solved by editing the properties on server in the DHCP MMC, and checking “Enable DNS dynamic updates…” on the DNS tab, thus having the client machines update the SBS DNS each time they pulled a lease. At first I assumed that this was an oversight in the original setup, but as I rolled out a new SBS box last weekend I noticed that by default it didn’t have that box checked either, so that caused me to wonder if I had solved the original problem in “best practice” manner. So I guess the summary of this question is: Is there a reason why SBS 2003 does not by default “Enable DNS dynamic updates” via DHCP? I assume that the server that DHCP would be updating would be the SBS server, and we’re not talking about external ones (which would have obvious security concerns). One curious thing I did find while I was googling this was: http://www.sbsireland.com/Forums/tabid/52/forumid/5/postid/93/view/topic/Default.aspx Which made it appear that in fact the SBS setup specifically disables this… which really made me wonder if we had done the right thing… Any direction you could point me in would be very helpful!

Just to let Kris know that I’m still trying to get the official reason as to why SBS 2003 has “Enable DNS dynamic updates” unchecked. Because we don’t have it enabled, you can be like Kris and end up in a situation where the DNS/A records are pointing to the wrong or nonexistent box.

I think it’s okay to enable that, but I’m checking and will let you know for certain. The way to test for this is to ping the workstation by IP and by name and see if it responds from the IP address it’s supposed to have. If not, flush out the offending stale DNS/A workstation record (just go into DNS and delete the workstation) and it will repopulate with the right one.

I think it will be okay to change this setting…but I’ll update this post when I know for certain. I’m seeing this issue more and more as we get crustier and move around workstations. Look in your DNS and see if there are workstation/A records that are old and just don’t belong anymore.
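The ping-by-name-and-IP check above, done for every computer account in the domain at once, as an added example that is not from the original post. It pulls the computer names from Active Directory with ADSI, resolves each one, flags names that have more than one A record, and for each address tests whether anything answers and whether that address still reverse-resolves to the same name. It uses only ADSI and .NET DNS calls, so it assumes nothing beyond a domain-joined machine with Windows PowerShell; the status strings are my own.

```powershell
# Added example (not from the original post). Finds workstation A records that are stale,
# duplicated, or pointing at a box that now belongs to a different name.
$searcher = [adsisearcher]'(&(objectCategory=computer)(dNSHostName=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$names = foreach ($r in $searcher.FindAll()) { $r.Properties['dnshostname'][0] }

$report = foreach ($name in ($names | Sort-Object)) {
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        # Account exists in AD but DNS knows nothing about it (never registered, or already scavenged).
        New-Object PSObject -Property @{ Name = $name; IP = $null; Status = 'no A record' }
        continue
    }
    foreach ($ip in $addrs) {
        $ipText = $ip.IPAddressToString
        $alive  = Test-Connection -ComputerName $ipText -Count 1 -Quiet -ErrorAction SilentlyContinue
        # Reverse lookup as a second opinion. PTR records go stale too, so a mismatch is a
        # lead to check by hand, not proof on its own.
        $ptr = $null
        try { $ptr = [System.Net.Dns]::GetHostEntry($ipText).HostName } catch { }
        $status = if (-not $alive)                  { 'no reply: stale A record?' }
                  elseif ($ptr -and $ptr -ne $name) { "answers as $ptr : record points at another box" }
                  elseif ($addrs.Count -gt 1)       { "one of $($addrs.Count) A records for this name" }
                  else                              { 'ok' }
        New-Object PSObject -Property @{ Name = $name; IP = $ipText; Status = $status }
    }
}

# Everything that is not 'ok' is a candidate to delete in the DNS MMC; a live machine
# re-registers its record at the next lease renewal or logon.
$report | Where-Object { $_.Status -ne 'ok' } | Sort-Object Name | Format-Table Name, IP, Status -AutoSize
```

A machine that is simply switched off shows up as “no reply”, so run it during working hours and treat that line as “go and look”, not as “delete”; the “answers as …” line is the RWW symptom from Kris’s question, where the old address now belongs to a different workstation.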

Disabling DNS dynamic updates

By disabling the Domain Name System (DNS) dynamic updates function, the responsibility of managing the DNS server is returned to the administrator. Disabling DNS dynamic updates might be suitable for networks where hosts rarely change locations, where growth and change are infrequent, and when stricter DNS server administration is required.

Jeff has a great blog post about the issue I see with security certificate notifications… we ignore the warnings and don’t understand them.

My favorite cert issue was the one I spotted on my trade association web site for the login page…. or rather the password reminder page.

The page gives an error with the usual red IE7 “don’t go here”. Well, I went there and then was nosy to see what the certificate error was. I was expecting a broken certificate chain, a wildcard or different domain, or something like that.

Nope. Someone forgot to renew something.

And I’ll bet no one is in the office this week to remember to renew it.
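A way to catch this before the browser does, as an added example that is not from the original post: the script opens a TLS connection to each host, lets the handshake complete even when the certificate would be rejected (so an expired one can still be inspected), and reports the expiry date, days left, and the specific reasons Windows would refuse it, which is what separates “someone forgot to renew” from a broken chain or a name mismatch. It assumes Windows PowerShell 3 or later on .NET Framework; the `$targets` list is constructed and should be replaced with your own hosts.

```powershell
# Added example (not from the original post). Reports certificate expiry and validation
# errors for a list of HTTPS hosts.
function Get-TlsCertStatus {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:chainStatus  = @()
    # Record why validation would fail, then return $true so the handshake finishes and
    # the certificate can be read. This is for inspection only, never for a real client.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        if ($chain) { $script:chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            Expired     = ($daysLeft -lt 0)
            PolicyError = $script:policyErrors            # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
            ChainStatus = ($script:chainStatus -join ',')   # NotTimeValid = expired; UntrustedRoot, PartialChain = chain problems
        }
    } finally {
        $client.Close()
    }
}

# Constructed list of hosts to check; replace with your own (the login page's host, OWA, RWW).
$targets = 'www.example.com', 'mail.example.com'
foreach ($t in $targets) {
    try   { Get-TlsCertStatus -HostName $t }
    catch { Write-Warning "$t : $($_.Exception.Message)" }
}
```

Scheduled weekly and filtered on `DaysLeft -lt 30`, the output is the reminder that nobody in the office this week is going to give you; a result with `Expired` True and `ChainStatus` NotTimeValid is exactly the “forgot to renew” case above, while UntrustedRoot or RemoteCertificateNameMismatch point at the chain and domain problems the post expected to find instead.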

Just for grins I wanted to see the support lifecycles on various platforms.

NOVELL: Support Lifecycle: http://support.novell.com/lifecycle/
Novell will provide a minimum of five years General Support for platform and operating system products, including its revisions, starting with the date of a product’s general availability. When General Support ends, Novell will offer extended support for a minimum of two years.

redhat.com | RHEL Errata Support Policy: http://www.redhat.com/security/updates/errata/
For a period of 7 years from initial release (General Availability), Red Hat will provide errata maintenance for Red Hat Enterprise Linux. To facilitate the rapid adoption of new enterprise hardware and software yet retain the high standard of stability inherent in Red Hat’s enterprise products, the 7 years is divided into three phases of maintenance.